FIG. 4 (flowchart 40). Box labels: 48, Rules; 42, Sample packet 1 : N; 44, Collect and log source info; 46, Collect and log destination info; 50, Analyze collected source and destination info; 52, Generate messages to data center 24.
FIG. 6 (block diagram 32). Box labels: 32a, Statistic Collection; 33a, Packet ratio process; 33b, Repressor Traffic Process; 33c, TCP Handshake Analysis; 33d, Layer 3-7 analysis; 33e, Logging and Historical analysis.
Flowchart (figure caption not recovered). Box labels in page order: Obtain ratio of packets In/Out, 82; Compare packet ratio to threshold, 84; Store and stamp, 86; Raise alarm to Control Center, 90. Other labels on the drawing: "threshold", ">2", "yes".
FIG. 10 (flowchart). Box labels in page order: Forward SYN Packet from client, 102; Forward SYN ACK Packet from server to client, 104; Gateway 26 immediately sends ACK to client, 106; Time out period expires, 108; Did ACK arrive from client? 110; Count, 111; Forward ACK, 114; Send reset to close connection, 112; Normal traffic exit, 116. Branch labels on the drawing: "no", "yes", "exit".
FIG. 11 (flowchart 130). Box labels: 132, Collect information about network traffic; 134, build histogram for at least one attribute or function of network traffic; 137, determine normal values; 136, determine if values of attribute exceed normal threshold values for attribute; 139, characterizing process; 140, voting process.
FIG. 12 (flowchart). Box labels in page order: 142, produce attack histograms; 143, determine normal histograms; 144, normalize histogram for each parameter; 146, determine difference between attack and historical histograms; 148, compute significant outliers; 150, correlation histogram; 151, optional noise reduction filtering. Other label on the drawing: "OR".
154, install filters
FIG. 13



Matter No.: 12221-010001 Page 14 of 16 

Applicant(s): Massimiliano Antonio Poletto et al. 
DENIAL OF SERVICE ATTACKS CHARACTERIZATION 



Flowchart 170 (figure caption not recovered). Box labels: 172, construct master correlation vector; 174, initialize packet correlation bit vector; 176, retrieve parameter in suspicious vector; 178, construct packet correlation vector; 180, use packet correlation vector to index master correlation vector. Other label on the drawing: "parameter suspicious vector".